In the section on the standard round, a possible defect in the way in which bytes are interchanged in the middle of the two halves of both the greater and lesser diffusion phases was noted, and changing it to correct the problem, as described, changes Quadibloc 2002E to Quadibloc 2002EC, or to Quadibloc 2002EM, to which all the suffixes indicating variants can be applied.
Note also that the revisions, Quadibloc 2002EC and Quadibloc 2002EM, use the same key schedule as the original Quadibloc 2002E, and the changes to the key schedule for deciphering are also not affected by the revisions.
In practice, of course, Quadibloc 2002EM can be considered to supersede both Quadibloc 2002EC and Quadibloc 2002E, as these revisions correct an unnecessary limitation without making the cipher slower. However, Quadibloc 2002EM does lack a symmetry retained by Quadibloc 2002EC, and it may also be thought that the apparent flaw in Quadibloc 2002E on which these revisions were based is not of genuine importance.
Since Quadibloc 2002E is an attempt to produce an "ultimate" block cipher, a number of variants are described here.
In the introductory section, two possible ways to derive a practical cipher from Quadibloc 2002E by excluding portions of it were noted, and these are now specified as Quadibloc 2002E DC, in which the complicated core rounds are largely replaced by greater diffusion phases, and Quadibloc 2002E SR, in which the core rounds are eliminated, and only the standard rounds are present.
A variant using the elements of Quadibloc 2002E to produce a cipher with a 256-bit block size, Quadibloc 2002E W, is also noted, along with further variants Quadibloc 2002E WS, Quadibloc 2002E WD and Quadibloc 2002E SD.
Another way of improving Quadibloc 2002E, by adding a modified form of the very complex round from Quadibloc 2002, is given as Quadibloc 2002E U, and a variant which combines this with a 256-bit block size, Quadibloc 2002E WU is also given.
Several variants involving changes to the combiner operations to further improve on these variants are then given; Quadibloc 2002E RA, Quadibloc 2002E RC, and Quadibloc 2002E RR.
Five further variants, Quadibloc 2002E ES, RE, RS, RO, and WR, involve other alternatives in combining the basic elements of Quadibloc 2002E and its variants.
Finally, a development of the revision Quadibloc 2002EM is noted, Quadibloc 2002EA, which, unlike the other revisions, requires additional rounds and thus revisions to the key schedule. This is, therefore, a variant, but it is designated using a revision code because it may be combined with any of the other variants.
The variant Quadibloc 2002E SR, which uses only the standard rounds, can be thought of as an improved version of Quadibloc 2002A, and as it is only slightly more complex than Quadibloc 2002A, which is in turn only slightly more complex than Rijndael (in some respects; it is simpler to understand than Rijndael, since it avoids advanced concepts like Galois Fields), it could indeed be considered for actual use. It offers quite a bit of nonlinearity, and the key schedule is secure.
The same cannot be said, of course, for regular Quadibloc 2002E. The core rounds are far too elaborate for it to be possible that any future circumstance would make it desirable to use a block cipher of that complexity. The same is even more true of such variants as Quadibloc 2002E WS or Quadibloc 2002E U, which can, I admit, legitimately be described as far-fetched, if not simply as insane. However, if it can be found that there are exploitable weaknesses in such elaborate designs, that certainly would mark an advance in the cryptanalytic art.
Also, just as is the case with IDEA and Rijndael, the design of this cipher, particularly the Quadibloc 2002E U variant, is illustrative of the techniques that can be used to give a cipher the property that only the key schedule needs to be altered to produce the deciphering algorithm.
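As an added illustration of that property (this is a constructed toy cipher, not Quadibloc 2002E, IDEA or Rijndael, and none of it is the author's code), the block below builds a 64-bit cipher whose round layer is an involution: a byte S-box that is its own inverse, followed by a byte reversal. Because such a layer undoes itself, deciphering runs exactly the same `crypt` routine as enciphering; the only thing that changes is the subkey list, which is reversed and each 32-bit additive subkey replaced by its negative modulo 2^32. The block size, the seeded S-box construction, the key schedule and the round count are all assumptions made for the example.

```python
import struct

# Constructed toy cipher for illustration only (not Quadibloc 2002E).
# 64-bit block handled as two big-endian 32-bit words; subkeys are
# combined by modular addition, the fixed layer between them is an involution.

ROUNDS = 8
MASK = 0xFFFFFFFF


def make_involutory_sbox(seed: int) -> list:
    """Build a byte substitution that is its own inverse (S[S[x]] == x).
    A seeded LCG-driven shuffle pairs the 256 byte values; each pair is
    mapped onto itself in both directions. Deterministic, so runs offline."""
    vals = list(range(256))
    state = seed & MASK
    for i in range(255, 0, -1):                      # Fisher-Yates shuffle
        state = (1103515245 * state + 12345) & MASK
        j = state % (i + 1)
        vals[i], vals[j] = vals[j], vals[i]
    sbox = [0] * 256
    for a, b in zip(vals[0::2], vals[1::2]):        # 128 disjoint pairs
        sbox[a] = b
        sbox[b] = a
    return sbox


def involutory_layer(block: bytes, sbox: list) -> bytes:
    """S-box every byte, then reverse the byte order. Both steps are
    involutions and they commute, so the whole layer is an involution."""
    return bytes(sbox[b] for b in reversed(block))


def add_words(block: bytes, subkey: bytes) -> bytes:
    """Key mixing: add the subkey word-wise modulo 2^32."""
    a0, a1 = struct.unpack(">II", block)
    k0, k1 = struct.unpack(">II", subkey)
    return struct.pack(">II", (a0 + k0) & MASK, (a1 + k1) & MASK)


def encryption_subkeys(key: bytes, rounds: int, sbox: list) -> list:
    """Constructed key schedule (assumption): derive rounds+1 eight-byte
    subkeys from a 16-byte key by mixing halves through the S-box layer."""
    assert len(key) == 16
    left, right = key[:8], key[8:]
    subkeys = []
    for i in range(rounds + 1):
        mixed = bytes((l ^ r ^ i) & 0xFF for l, r in zip(left, right))
        left, right = right, involutory_layer(mixed, sbox)
        subkeys.append(right)
    return subkeys


def decryption_subkeys(enc_subkeys: list) -> list:
    """The only change needed for decipherment: reverse the subkey order
    and replace each additive subkey word by its additive inverse mod 2^32."""
    out = []
    for sk in reversed(enc_subkeys):
        k0, k1 = struct.unpack(">II", sk)
        out.append(struct.pack(">II", (-k0) & MASK, (-k1) & MASK))
    return out


def crypt(block: bytes, subkeys: list, sbox: list) -> bytes:
    """One routine for both directions: add subkey, involutory layer,
    repeated, then a final subkey addition (whitening)."""
    assert len(block) == 8
    state = block
    for sk in subkeys[:-1]:
        state = add_words(state, sk)
        state = involutory_layer(state, sbox)
    return add_words(state, subkeys[-1])


def demo_roundtrip() -> bool:
    """Encipher a constructed block and decipher it with the same routine."""
    sbox = make_involutory_sbox(2002)
    key = bytes(range(16))                           # constructed sample key
    enc = encryption_subkeys(key, ROUNDS, sbox)
    dec = decryption_subkeys(enc)
    plaintext = bytes.fromhex("0123456789abcdef")    # constructed sample block
    ciphertext = crypt(plaintext, enc, sbox)
    return crypt(ciphertext, dec, sbox) == plaintext
```

The reason this works is that the fixed layer between subkey additions is its own inverse, so running the same sequence backwards only requires undoing each subkey addition, which is what the negated, reversed schedule does; a cipher whose rounds use a non-involutory layer would instead need a separate deciphering routine with the inverse layer.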
If one wishes to be *really* insane, of course, one could modify Quadibloc 2002 WS so as to have 257 standard rounds performed on the left half of the block first, then the intermediate results transposed according to a key-dependent bijective S-box before being used in 256 core rounds performed on the right half of the block. Do *that* four times, swapping halves of the block. For decipherment, one takes that S-box, and reverses the order of its elements, and then replaces each element by 256 minus the value of the element. The resulting 1026-round (or 4-round, depending on how you count them, or, rather, on what you count) block cipher ought to be secure. One problem, of course, is that the key schedule is likely to run out of steam producing all the subkeys needed; maybe something could be worked out using Blum-Blum-Shub.
Something simpler along these lines, using either a single greater diffusion phase or a single core round, with a 32-element bijective S-box, involving some sort of cipher that produces thirty-two 32-bit intermediate results on the right 128-bit half of the block, would not actually sound unattractive to me. Somehow making the permutation data-dependent, of course, would be de rigueur in the sort of overly elaborate designs I amuse myself with.